In this paper, we give a simple proof of the fact that the optimal collective attacks against
continuous-variable quantum key distribution with a Gaussian modulation are Gaussian attacks.
Our proof, which makes use of symmetry properties of the protocol in phase-space, is particularly
relevant for the finite-key analysis of the protocol, and therefore for practical applications.



I. INTRODUCTION 

Quantum key distribution (QKD) is a cryptographic primitive allowing two distant parties,
traditionally referred to as Alice and Bob, to establish a secret key. This key can later be
used to secure sensitive communication, for instance with a one-time pad. QKD has received a
lot of attention lately as it is the first application of quantum information science which
could be developed on a large scale. For instance, metropolitan networks are certainly
compatible with present technology, as was recently demonstrated in Vienna with the
SECOQC project 0].

Historically, QKD protocols have been using discrete 
variables, meaning that Alice and Bob exchange informa- 
tion encoded on a finite-dimensional Hilbert space such 
as the polarization of a single photon for instance. Hence, 
protocols such as BB84 |J] have been studied for a long 
time and their unconditional security is today well estab- 
lished [1], at least in a scenario where side-channels are 
not considered @. 

More recently, it was suggested that one could encode information on continuous variables in
phase-space to perform QKD. Practical schemes requiring only coherent states together with a
homodyne detection were introduced by Grosshans and Grangier in 2002 (GG02), first with direct
and then with reverse [ 3 reconciliation, and later successfully implemented. These protocols
were proven secure against collective attacks [11], [l^, which are optimal in the asymptotic
limit [l^. Let us recall that the optimal collective attacks are Gaussian attacks, meaning
that the eavesdropper operation corresponds to a Gaussian map.

The basic idea of the protocol GG02 is the following: Alice draws two random numbers $q_A$
and $p_A$ with a Gaussian probability distribution and sends the coherent state
$|q_A + i p_A\rangle$ to Bob. Bob chooses a random quadrature and performs a homodyne
detection for that quadrature: he then obtains the classical variable $y$, a noisy version of
either $q_A$ or $p_A$. He finally informs Alice of his choice of quadrature. Alice keeps her
relevant classical variable which she notes $x$. Repeating this operation $n$ times, Alice and
Bob end up with two correlated vectors $x = (x_1, \dots, x_n)$ and $y = (y_1, \dots, y_n)$
from which they can distill a secret key by applying the usual classical post-processing
composed of parameter estimation, error reconciliation and privacy amplification. Note that a
small variation of this protocol consists in performing a heterodyne detection on Bob's side
instead of a homodyne detection [14]. The security of this variant was investigated in
1^, [16] where the optimal individual attack is given explicitly.

Other variations of this GG02 protocol consist in replacing the Gaussian modulation with a
discrete modulation [l^-lH, IstI. or adding a post-selection procedure to the
protocol HS-i^l-

One main advantage of the protocols with a Gaussian modulation but without post-selection is
that they display a high level of symmetry. In particular, a specific symmetry of these
protocols in phase-space was recently investigated in [28] and appears to be a good approach
in order to improve the known lower bounds of the secret key rate against arbitrary attacks in
the finite size regime. Remember that Ref. proves that collective attacks are optimal in the
asymptotic regime thanks to a de Finetti-type theorem which gives rather conservative bounds
when finite size effects are taken into account. A general framework for the finite size
analysis of QKD was developed in [29] and the first numerical results appear to be rather
pessimistic [s^l, hence giving incentive to improve known bounds, in particular with the help
of symmetries. Partial results in this direction, such as a de Finetti-type theorem in
phase-space, were already obtained in [31]. Whereas in [28], the authors examined the
possibility to use the specific symmetries of GG02 to prove the security of the protocol
against general attacks, our goal here is more modest as we show that these symmetries allow
one to easily recover known results concerning the optimality of Gaussian attacks among all
collective attacks. A novelty of our proof compared to previous techniques [11], 113 is that
it can be applied in the finite size scenario.

II. A NEW SECURITY PROOF AGAINST COLLECTIVE ATTACKS

The main idea of our proof is to use symmetries of the protocol to simplify the analysis of
its security. In general, the security of a usual Prepare and Measure protocol where Alice
prepares and sends quantum states to Bob (coherent states with a Gaussian modulation in the
case of GG02) is analysed through an equivalent entangled version of the protocol. For GG02,
this entangled version consists for Alice in preparing two-mode squeezed vacua, measuring one
mode of these states with a heterodyne detection and sending the other mode to Bob through the
quantum channel [32].

The security of the entangled protocol is then analysed through the $n$-mode bipartite quantum
state $\rho_{AB} \in (\mathcal{H}_A \otimes \mathcal{H}_B)^{\otimes n}$ shared by Alice and Bob
before they perform their measurements. Here, $\mathcal{H}_A$ and $\mathcal{H}_B$ refer
respectively to Alice and Bob's single mode Hilbert spaces. Unfortunately, the total Hilbert
space $(\mathcal{H}_A \otimes \mathcal{H}_B)^{\otimes n}$ is usually too big to allow for a
complete analysis.

A solution is therefore to use specific symmetries of the protocol in order to show that only
a symmetric subspace of $(\mathcal{H}_A \otimes \mathcal{H}_B)^{\otimes n}$ needs to be
considered. Indeed, one can show that if a QKD protocol is invariant under a certain class of
symmetries, say invariance under permutation of the subsystems of Alice and Bob, then one can
safely assume that the quantum state $\rho_{AB}$ displays the same symmetry.

This might look a bit suspicious at first sight as one may object that the eavesdropper is
free to break the symmetry of the state, hence invalidating the previous statement. The way to
solve this apparent paradox is to recall that, without loss of generality, one can always
assume that Eve is given a purification $|\psi\rangle_{ABE}$ of $\rho_{AB}$. Since the protocol
is invariant under the group of symmetry $\mathcal{G}$, Alice and Bob can consider the state
$\bar{\rho}_{AB}$ which is obtained by averaging their initial state $\rho_{AB}$ over the group
$\mathcal{G}$. As far as Alice and Bob are concerned, applying the QKD protocol (measurements,
parameter estimation, reconciliation and privacy amplification) to the state $\bar{\rho}_{AB}$
is indistinguishable from applying it to the state $\rho_{AB}$. Now, because the state
$\bar{\rho}_{AB}$ is invariant under the action of $\mathcal{G}$, it is possible to find a
purification $|\bar{\psi}\rangle_{ABE}$ of this state such that
$g|\bar{\psi}\rangle_{ABE} = |\bar{\psi}\rangle_{ABE}$ for all $g \in \mathcal{G}$. This was
proven in the case of the symmetric group $S_n$ in Q and in the case of locally compact groups
in 3^ . Then it is shown in [33] that there exists a completely positive trace-preserving map
$T$ mapping $|\bar{\psi}\rangle_{ABE}$ to $|\psi\rangle_{ABE}$. Hence, the eavesdropper has at
least as much information when her state corresponds to the symmetric purification
$|\bar{\psi}\rangle_{ABE}$ as when her state corresponds to the (not necessarily symmetric)
purification $|\psi\rangle_{ABE}$. This means that considering the state
$|\bar{\psi}\rangle_{ABE}$ is sufficient to evaluate the security of the protocol. As a
conclusion, Alice and Bob can always assume that their bipartite state displays the same
symmetry properties as the QKD protocol.

In addition to using specific symmetries of the protocol, one can simplify the security
analysis further by restricting the eavesdropper's action to a certain class of attacks, for
instance, collective attacks. This means that the bipartite quantum state shared by Alice and
Bob is assumed to be independent and identically distributed (i.i.d.), that is, that there
exists a probability distribution $p(\sigma_{AB})$ on $\mathcal{H}_A \otimes \mathcal{H}_B$
such that:

$$\rho_{AB} = \int \sigma_{AB}^{\otimes n}\, p(\sigma_{AB})\, d\sigma_{AB}. \tag{1}$$


In the case of protocols such as BB84 which are invariant under permutation of Alice and Bob's
subsystems, it is useless to consider symmetries of the protocol when considering collective
attacks since an i.i.d. state is clearly invariant under permutation of its subsystems. The
converse property is not true in general. However, the exponential version of the de Finetti
theorem [3J] and the post-selection technique introduced in [ssj show that it also holds
asymptotically.

In the case of continuous-variable QKD protocols, one can consider a specific symmetry in
phase-space [28] which is not strictly implied by collective attacks. The protocol GG02 is
indeed invariant under conjugate passive symplectic operations applied by Alice and Bob.
Physically, this invariance means that the protocol is not affected when Alice sends her $n$
modes through any passive linear interferometer while Bob sends his $n$ modes through the
passive linear interferometer effecting the conjugate orthogonal transformation in phase
space. To see this, it is enough to show that the reconciliation procedure as well as the
parameter estimation would perform equally well whether or not conjugate passive symplectic
operations are applied. Let us consider first the reconciliation procedure which consists in
turning Alice and Bob's measurement results into identical bitstrings. Such a procedure (see
Ref. [HI for a specific example) is designed to work in the case where Alice's classical data
follow a Gaussian modulation and the correlation between Alice and Bob's data is measured by
their covariance. Since passive symplectic operations in phase space correspond to orthogonal
transformations for Alice and Bob's measurement results, neither the Gaussian modulation nor
the covariance of the data are affected, which guarantees that the reconciliation procedure is
transparent to such transformations. Concerning the parameter estimation, which is used in
particular to compute Eve's information, it is notable that for the protocol GG02, only the
covariance matrix of the state $\rho_{AB}$ should be estimated, and more specifically the
transmission and excess noise of the quantum channel. Both these quantities are invariant
under any orthogonal transformation of the data. This means that the state $\rho_{AB}$ can
safely be considered to be invariant under conjugate passive Gaussian operations applied by
Alice and Bob.

Using this symmetry together with the assumption of collective attacks leads to a simple proof
that the optimal collective attacks are Gaussian. More precisely, if the adversary is
restricted to perform a collective attack, Alice and Bob can safely assume that this attack is
Gaussian. To show this, it is enough to prove that the state $\rho_{AB}$ can be considered
Gaussian. Indeed, at the beginning of the protocol, Alice prepares $n$ two-mode squeezed
states, which is a $2n$-mode Gaussian state. If the quantum state shared by Alice and Bob at
the end of the protocol is also Gaussian, it means that the quantum channel can be described
as a Gaussian map. Our proof is based on the following Lemma.

Lemma 1. If a bipartite $2n$-modal quantum state $\rho_{AB}$ (for n > 2) is both i.i.d. and
invariant under conjugate passive Gaussian operations, then $\rho_{AB}$ is a Gaussian state.

Proof. Let us first rephrase the lemma in phase-space representation. Any state $\rho_{AB}$ is
completely characterized by its Wigner function $W_\rho(x,p,y,q)$ where $x, p$ are
$n$-dimensional vectors corresponding to Alice's phase-space and $y, q$ correspond to Bob's
phase-space. The application of a passive Gaussian operation on Alice's modes and of its
conjugate operation on Bob's modes maps the state $\rho$ to the state $\rho'$. The Wigner
function $W_{\rho'}(x,p,y,q)$ of $\rho'$ is equal to $W_\rho(x',p',y',q')$ for the change of
coordinates $(x',p',y',q') = S^T(x,p,y,q)$ and the symplectic map $S$ can be written as

$$S \equiv S(X,Y) = \begin{pmatrix} X & Y & & \\ -Y & X & & \\ & & X^T & -Y^T \\ & & Y^T & X^T \end{pmatrix} \tag{2}$$

where the matrices $X$ and $Y$ are such that [36]

$$X^T X + Y^T Y = X X^T + Y Y^T = \mathbb{1} \tag{3}$$

$$X^T Y,\ X Y^T \ \text{symmetric}. \tag{4}$$

In order to prove the lemma, we observe that if any such map $S$ leaves the Wigner function
invariant, then $W$ can only depend on three parameters which are $\|x\|^2 + \|p\|^2$,
$\|y\|^2 + \|q\|^2$ and $x \cdot y - p \cdot q$ (a proof of this fact can be found in
Appendix A). This means that there exists a function
$f : \mathbb{R}^+ \times \mathbb{R}^+ \times \mathbb{R} \to \mathbb{R}$ such that:

$$W_\rho(x,p,y,q) = f\left(\|x\|^2 + \|p\|^2,\ \|y\|^2 + \|q\|^2,\ x \cdot y - p \cdot q\right). \tag{5}$$

Then, since $\rho_{AB}$ is an i.i.d. state, the same must be true for $f$, meaning in
particular that

$$f\left(\sum_{i=1}^n (x_i^2 + p_i^2),\ \sum_{i=1}^n (y_i^2 + q_i^2),\ \sum_{i=1}^n (x_i y_i - p_i q_i)\right) \propto \prod_{i=1}^n f\left(x_i^2 + p_i^2,\ y_i^2 + q_i^2,\ x_i y_i - p_i q_i\right), \tag{6}$$

which is exactly the characterization of the exponential function. Hence, $f$ and also $W$ are
exponential in $\|x\|^2 + \|p\|^2$, $\|y\|^2 + \|q\|^2$ and $x \cdot y - p \cdot q$, which
means that the state $\rho_{AB}$ is a Gaussian state. This concludes our proof. □



The protocol GG02 is invariant under conjugate passive symplectic operations applied by Alice
and Bob. Hence Alice and Bob can safely assume that their state $\rho_{AB}$ displays the same
symmetry. Restricting the analysis to collective attacks, one can use Lemma 1 to conclude that
the state $\rho_{AB}$ can be considered to be Gaussian. Since the initial state produced by
Alice, a (Gaussian) two-mode squeezed vacuum, is transformed through the quantum channel into
another Gaussian state, this means that the action of the channel, that is of the attack, can
be safely considered to be Gaussian, which gives a simple proof that Gaussian attacks are
optimal among collective attacks.



III. CONCLUSION AND PERSPECTIVES 

In this paper, we gave an alternative proof that Gaussian attacks are optimal against GG02
among all collective attacks. This new proof makes use of symmetries of the protocol in
phase-space, and does not require considering specific properties of the entropy as in
previous proofs [11], [12]. A natural question is whether this technique can be exploited for
variants of the GG02 protocol.

Let us consider first protocols with a discrete modulation, such as [12 . In this case, our
new proof cannot be applied directly as protocols with a discrete modulation are less
symmetric than protocols with a Gaussian modulation. Indeed, not all rotations in phase-space
leave the protocol invariant: only the orthogonal transformations leaving the modulation
unchanged, that is, transformations belonging to the symmetry group of the hypercube, are
relevant in this case. This group, however, is much smaller than the group considered here,
and one cannot conclude directly that the state $\rho_{AB}$ can be safely considered to be
Gaussian. Note that this is still true but has to be proven with a different approach
[2^ |33] based on the extremality of Gaussian states [38].

The second class of protocols one could consider is protocols with a post-selection procedure
[23]-[27]. These protocols have not yet been proven secure against general collective attacks
because it is not known whether Gaussian attacks are optimal among collective attacks. The
technique presented in this paper cannot be used either for protocols displaying a
post-selection step as this post-selection explicitly breaks the symmetry of the protocol in
phase-space.

In addition to its simplicity, our new proof turns out to be particularly useful for the
finite size analysis of the security of continuous-variable QKD protocols. Indeed, a
specificity of the finite size analysis is that Alice and Bob cannot assume that they know
perfectly the quantum state they share. For continuous-variable protocols in general, this is
in fact theoretically impossible as their state belongs to an infinite dimensional Hilbert
space, and therefore requires an infinite number of parameters to be fully described.
Fortunately, for protocols such as GG02 where the state can safely be considered to be
Gaussian, Alice and Bob only need to know their covariance matrix which depends on three
parameters: the modulation variance which is chosen by Alice as well as the transmission and
the excess noise of the quantum channel. These parameters are estimated by revealing part of
Alice and Bob's data. In order to proceed with this estimation, one needs a statistical model
and choosing a normal model seems quite natural. However, previous proofs of Gaussian
optimality presented in [11], assume that the covariance matrix is known to Alice and Bob and
cannot justify the use of a normal statistical model for its estimation. The proof presented
here, on the contrary, allows for such a justification (see Appendix B for details).

The fact that our proof applies to finite size analysis is crucial as our ultimate goal is
clearly to assess the security of practical implementations, which are necessarily finite. A
general finite-size analysis of continuous-variable protocols will be the subject of future
work.



Appendix A: Complete proof of Lemma 1

Before considering the general case of Wigner functions, let us first consider the case of a
probability distribution $p(x, y)$ which is invariant under orthogonal transformations applied
to both $x$ and $y$. In other words, for any $R \in O(n)$, one has $p(Rx, Ry) = p(x, y)$. Such
a symmetry property clearly implies that $p(x, y)$ can only depend on three parameters, namely
$\|x\|$, $\|y\|$ and $x \cdot y$. With Wigner functions, the argument is more subtle, and is
detailed below.

We want to show that any function
$W : \mathbb{R}^n \times \mathbb{R}^n \times \mathbb{R}^n \times \mathbb{R}^n \to \mathbb{R}$
such that $W(x,p,y,q) = W(S^T(x,p,y,q))$ for any symplectic transformation $S$ of the form
given by Eq. (2) only depends on the following three parameters: $\|x\|^2 + \|p\|^2$,
$\|y\|^2 + \|q\|^2$ and $x \cdot y - p \cdot q$.

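Our goal is therefore to prove the following: for any pair of quadruples $(x,p,y,q)$ and
$(x',p',y',q')$ such that

$$\|x\|^2 + \|p\|^2 = \|x'\|^2 + \|p'\|^2, \quad \|y\|^2 + \|q\|^2 = \|y'\|^2 + \|q'\|^2, \quad x \cdot y - p \cdot q = x' \cdot y' - p' \cdot q' \tag{A1}$$

one has: $W(x,p,y,q) = W(x',p',y',q')$.
Let us introduce the following vectors:

$a = x + ip$, $a' = x' + ip'$,
$b = y - iq$, $b' = y' - iq'$.

The condition (A1) can be rewritten as:

$$\|a\|^2 = \|a'\|^2 \tag{A2}$$

$$\|b\|^2 = \|b'\|^2 \tag{A3}$$

$$\mathrm{Re}\langle a|b\rangle = \mathrm{Re}\langle a'|b'\rangle \tag{A4}$$
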

where $\mathrm{Re}(x)$ refers to the real part of $x$. It is sufficient to prove that there
exists a unitary transformation $U \in U(n)$ such that $Ua = a'$ and $Ub = b'$. Indeed, one
can split $U$ into real and imaginary parts: $U = X - iY$, and it is easy to check that
$S(X, Y)$ gives the correct change of coordinates. Since $W$ is invariant under this change of
coordinates, one concludes that $W(x,p,y,q) = W(x',p',y',q')$.

Let us introduce the following notations: $A = \|a\|^2 = \|a'\|^2$, $B = \|b\|^2 = \|b'\|^2$
and $C = \mathrm{Re}\langle a|b\rangle = \mathrm{Re}\langle a'|b'\rangle$.

Consider first the case where $a$ and $b$ are colinear. This means that $b = (C/A)\,a$ and
$C = \pm\sqrt{AB}$. Using the Cauchy-Schwarz inequality,
$|C| = |a' \cdot b'| \le \|a'\| \cdot \|b'\| = \sqrt{AB}$ with equality if and only if $a'$
and $b'$ are colinear. This means that $a'$ and $b'$ are colinear and that $b' = (C/A)\,a'$.
Because $\|a\| = \|a'\|$, the reflexion $U$ across the mediator hyperplane of $a$ and $a'$ is
a unitary transformation that maps $a$ to $a'$. This reflexion also maps $b$ to $b'$. This
ends the proof in the case where $a$ and $b$ are colinear.

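Let us now consider the general case where $a$ and $b$ are not colinear. It is clear that $a'$
and $b'$ cannot be colinear either. We take two bases $(a, b, f_3, \dots, f_n)$ and
$(a', b', f'_3, \dots, f'_n)$ of $\mathbb{C}^n$ and use the Gram-Schmidt process to obtain two
orthonormal bases $\mathcal{B} = (e_1, \dots, e_n)$ and $\mathcal{B}' = (e'_1, \dots, e'_n)$.
Note that vectors $e_1$, $e_2$, $e'_1$ and $e'_2$ are given by:

$$e_1 = \frac{a}{\sqrt{A}}, \qquad e'_1 = \frac{a'}{\sqrt{A}} \tag{A5}$$

$$e_2 = \frac{b - \langle e_1|b\rangle e_1}{\|b - \langle e_1|b\rangle e_1\|}, \qquad e'_2 = \frac{b' - \langle e'_1|b'\rangle e'_1}{\|b' - \langle e'_1|b'\rangle e'_1\|} \tag{A6}$$

Let us call $U$ the unitary operator mapping $\mathcal{B}$ to $\mathcal{B}'$. It is easy to
see that $U$ maps $a$ and $b$ to $a'$ and $b'$, respectively. This concludes our proof.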



Appendix B: Normal statistical model 

In this section, we discuss briefly the problem of parameter estimation in continuous-variable
protocols with a Gaussian modulation. This question is particularly relevant when one is
concerned with a finite-size analysis of the security of the protocol (a more detailed
presentation can be found in [sol. |4(|).

One of the main differences between the asymptotic and the finite-size study of a protocol
lies in the parameter estimation. In the former case, one typically assumes that the quantum
state $\rho_{AB}$ is known to Alice and Bob while in the latter case, this state needs to be
estimated.

For continuous-variable protocols with a Gaussian modulation, it is known that Gaussian
attacks are optimal (among collective attacks) and therefore, the secret key rate only depends
on the covariance matrix of $\rho_{AB}$. This means that only this covariance matrix, that is,
a finite number of parameters, needs to be estimated in practice. Moreover, using the
symmetries described in this article, one can see that three parameters are in fact
sufficient, namely Alice's and Bob's variances, and their covariance. More precisely, the
covariance matrix of the state $\rho_{AB}$ can be assumed to have the following form:

with $\sigma_z = \mathrm{diag}(1, -1, 1, -1, \dots, 1, -1)$.

Furthermore, in a Prepare and Measure implementation of the protocol, $X$ simply corresponds
to Alice's modulation variance, which is a priori known to Alice and Bob. Hence, only two
parameters remain to be estimated in practice. Asymptotically, this is not a problem since one
can assume that the parameter estimation is done perfectly. However, for a finite-size
analysis, which is eventually required to prove the security of a practical scheme, it is
crucial to have an upper bound on the error in the parameter estimation. Indeed, in an
adversarial scenario such as QKD, the legitimate parties should always consider the worst
covariance matrix compatible with their data except with some small probability $\epsilon$.

This can be easily done once a statistical model is given for the data
$x = (x_1, \dots, x_n)$ and $y = (y_1, \dots, y_n)$ observed by Alice and Bob, respectively.

Whereas this could be done even without a model in the case of bounded parameters such as the
quantum bit error rate for discrete-variable QKD protocols, this is much more complicated for
a priori unbounded parameters such as the excess noise in the GG02 protocol.

Then the demonstration given above that the state $\rho_{AB}$ can be considered Gaussian has a
crucial consequence: since the classical data $x$ and $y$ are obtained by performing Gaussian
measurements (either homodyne or heterodyne detection), the joint distribution of $(x, y)$
corresponds to some marginal of a Gaussian Wigner function, and therefore it is also Gaussian.
As a consequence, the variables $x_i$ and $y_i$ (for $i \in \{1, \dots, n\}$) are related
through:

$$y_i = \alpha x_i + z_i, \tag{B2}$$

where $\alpha$ is a constant and $z_i$ is a Gaussian random variable:
$z_i \sim \mathcal{N}(0, \sigma^2)$ which is independent of $x_i$. This is the definition of a
normal statistical model, where one tries to estimate the values of $\alpha$ and $\sigma^2$.
For such a model, one can bound the errors made in the estimation of both $\alpha$ and
$\sigma^2$, and therefore on $Y$ and $Z$ (since these are simple functions of $\alpha$ and
$\sigma^2$). Finally, and this is a crucial step in finite-key analysis, one can compute the
worst key rate compatible with the data, except with probability $\epsilon$.
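
The estimation step for the normal model (B2), together with the invariance of the estimates under an orthogonal transformation of the data used in Section II, as an added Python example that is not code from the paper. The function names, the sample values and the large-n confidence intervals are assumptions of this example; the data are constructed with a seeded generator.

```python
import math
import random
from statistics import NormalDist


def estimate(x, y):
    """Maximum-likelihood estimates of alpha and sigma^2 for y_i = alpha*x_i + z_i."""
    sxx = sum(a * a for a in x)
    sxy = sum(a * b for a, b in zip(x, y))
    alpha = sxy / sxx
    sigma2 = sum((b - alpha * a) ** 2 for a, b in zip(x, y)) / len(x)
    return alpha, sigma2


def worst_case(x, y, eps):
    """Smallest alpha and largest sigma^2 compatible with the data.

    Each bound fails with probability about eps/2. The intervals use the
    large-n Gaussian approximation of the estimators (an assumption of this
    example, not a formula taken from the paper).
    """
    n = len(x)
    alpha, sigma2 = estimate(x, y)
    z = NormalDist().inv_cdf(1 - eps / 2)             # one-sided quantile
    sxx = sum(a * a for a in x)
    alpha_min = alpha - z * math.sqrt(sigma2 / sxx)   # Var(alpha_hat) = sigma^2 / sum x_i^2
    sigma2_max = sigma2 * (1 + z * math.sqrt(2 / n))  # n * sigma2_hat / sigma^2 is chi-square
    return alpha_min, sigma2_max


def reflect(v, u):
    """Apply the Householder reflection I - 2 u u^T / (u . u), an orthogonal map."""
    c = 2 * sum(a * b for a, b in zip(u, v)) / sum(a * a for a in u)
    return [a - c * b for a, b in zip(v, u)]


def make_sample(n, alpha, sigma2, var_x, seed):
    """Constructed data: Gaussian modulation x, independent Gaussian noise z."""
    rng = random.Random(seed)
    x = [rng.gauss(0, math.sqrt(var_x)) for _ in range(n)]
    y = [alpha * a + rng.gauss(0, math.sqrt(sigma2)) for a in x]
    return x, y


if __name__ == "__main__":
    x, y = make_sample(n=10_000, alpha=0.8, sigma2=1.2, var_x=4.0, seed=1)
    print("estimates:", estimate(x, y))
    print("worst case (eps = 1e-10):", worst_case(x, y, 1e-10))
    # The same orthogonal transformation applied to Alice's and Bob's data
    # leaves both estimates unchanged, up to floating-point rounding.
    rng = random.Random(2)
    u = [rng.gauss(0, 1) for _ in x]
    print("after rotation:", estimate(reflect(x, u), reflect(y, u)))
```

The pessimistic pair (alpha_min, sigma2_max) is what enters the worst-case key rate; the rotated data give the same estimates because the sums of x_i^2, y_i^2 and x_i*y_i are preserved by any orthogonal map.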